Apologies for being a newb to this board!
There are many lists out there, and keeping up can be difficult. This post was brought to my attention and I see so much good info here I thought I would join and jump in when I can. I might as well start somewhere so here goes!
While I am not the one to ask about how much I like FTK 3 (peers are a better judge), I do want to comment on the postings relating to FTK indexing its own metadata.
Let me explain what is happening here.
Several types of items do not have a raw stream of data to view in hex. For example many emails (including those from Lotus, PST, Exchange, and AOL) have no raw stream. On these file types, FTK generates an HTML rendering of the interpreted data.
When the user clicks on the hex view, FTK shows the hex view of the interpreted HTML stream that FTK generates, which is not metadata but interpreted content of the item within the compound binary. This is why you may be seeing HTML tags in some of the hex view.
Since FTK is built on a database (all versions), it has the ability to store these objects individually within the database. This gives the user the ability to not only obtain index search hits on them (such as JPEG Exif data, MS Word Summary Info, Link Files, rendered email, etc.) but also obtain hits when searching "live" on the Live Search Tab.
Specifically when searching "live", you will receive hits on both the HTML and also the parent object such as the PST itself. The only exception here is if the data has been interpreted by FTK and does not exist within the parent object as text. In those cases you would have to be searching for the binary data in hex.
You will also see this notation in FTK-generated HTML objects: "This HTML was generated by AccessData using data parsed from "parent file name here". Please refer to that file for the original evidence."
I hope this helps clarify what is going on here.
Hey Guys,
I just wanted to let you know that I went ahead and pulled the trigger on FTK 3.0. I had to download the program with FileZilla before I could get an uncorrupted download of the ISO for the Oracle and the FTK3.0 Application. I placed FTK3 on a clean install of Windows Server 2008 (with 8GB of RAM). I put the Oracle on a raid0 with 6TB. I was very patient and cautious when I installed the Oracle and waited about twenty minutes after each step. Once the configuration was complete, I restarted the computer before I installed the FTK3 application. I was pleasantly surprised that everything worked. I started my first exam on it and it's definitely 10 times better than FTK 2.1. (I have to agree with turtlecove, FTK2 was a great disappointment.)
I was really skeptical that it would work the first time, but it did. Anyway, so far so good, I'll let you know if that changes.
Regards,
J